ChigozieCO

Simple CTF - TryHackMe Walk Through

Hey dears, today we crush this capture-the-flag activity. TryHackMe is an easy way to get hands-on with your learning right away.

The Simple CTF room is a beginner-level CTF on TryHackMe. It introduces you to some of the skills every CTF needs, including reconnaissance via port scanning, enumeration, exploitation, privilege escalation and further research.

This room is available at TryHackMe Simple CTF.

Q1. How many services are running under port 1000?

As with every hacking activity, we start with information gathering: we need to know exactly what we're dealing with. For that we run a port scan with the command:

sudo nmap -sS -p- -T4 <_machineIP_> -vv

Here's what each option in our scan does:

-sS to run a SYN/stealth scan
-p- to scan all ports
-T4 to speed up the scan
-vv for very verbose output so we can monitor the progress of the scan

A. 2

Q2. What is running on the higher port?

Our scan shows three open ports: two of them (port 21 and port 80) are under 1000, and the third is port 2222. To answer this question we run a service and OS detection scan against these open ports.

To do this, we use the command below:

nmap -A -p21,80,2222 -T4 <_MachineIP_>

A. ssh

Investigating the open Ports

Our result from the above nmap scan shows us that port 21 has an FTP service, port 80 has an HTTP service and port 2222 has an SSH service.
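To see how the answers to Q1 and Q2 fall out of the scan, here is an added example (my own code, not part of the original post) that parses nmap's normal-output port table, counts open ports under 1000, reads the service on the highest port, and also reads the same scan the way an administrator should, flagging the anonymous FTP login and the SSH service on a non-standard port. The sample text is constructed: the version column and the FTP file listing are placeholders, not data from the room.

```python
import re

# Constructed sample in nmap's normal-output format, matching the three services the
# scan above reports; the version column and file listing are placeholders, not real data.
SAMPLE_NMAP = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     <ftp-server-version>
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp     <size> <date> ForMitch.txt
80/tcp   open  http    <web-server-version>
2222/tcp open  ssh     <ssh-server-version>
"""

# One "port/proto state service [version]" row of nmap's port table.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)(?:\s+(.*))?$")

def parse_open_ports(text):
    """Return open ports as dicts; NSE script lines ('|', '|_') attach to the port above."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = None
            if m.group(3) == "open":
                current = {"port": int(m.group(1)), "proto": m.group(2), "service": m.group(4),
                           "version": (m.group(5) or "").strip(), "scripts": []}
                ports.append(current)
        elif line.startswith("|") and current is not None:
            current["scripts"].append(line.lstrip("|_ ").strip())
    return ports

def count_below(ports, limit=1000):
    """Q1: how many open services sit under the given port number."""
    return sum(1 for p in ports if p["port"] < limit)

def highest_port_service(ports):
    """Q2: the service name nmap reports on the highest open port."""
    return max(ports, key=lambda p: p["port"])["service"]

def findings(ports):
    """The defender's read of the same scan: what to fix before a player finds it."""
    notes = []
    for p in ports:
        if p["service"] == "ftp" and any("Anonymous FTP login allowed" in s for s in p["scripts"]):
            notes.append(f"{p['port']}/tcp: anonymous FTP login is enabled; disable it or keep only non-sensitive files there")
        if p["service"] == "ssh" and p["port"] != 22:
            notes.append(f"{p['port']}/tcp: SSH on a non-standard port; a full-range scan (-p-) still finds it, so rely on key auth, not obscurity")
    return notes
```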

We will investigate these open ports further.

Beginning with port 21, we see from our scan result that “Anonymous FTP login allowed”, so we're definitely logging into this baby. We use the command:

ftp <_MachineIP_>

We list the contents of the FTP server with the ls command, which leads us to a pub directory.

ls

Next we navigate into the pub directory and we find a file named “ForMitch.txt”.


You already know we're gonna download it so our nosy asses can read it, it may contain useful information!

Well, bummer: nothing really interesting in the note, but be sure to remember that, as the note says, Mitch has a crackable password. Moving on to port 80.

We will investigate port 80 next.

As we previously discovered that port 80 is running the HTTP service, we will use the Firefox browser: open a new tab and enter your target machine's IP. This brings up an “Apache2 Ubuntu Default Page”. Not too exciting.

Enumeration

To unearth any hidden directories we will run Dirb, a web content scanner.

DIRB looks for existing (and/or hidden) web objects. It works by launching a dictionary-based attack against a web server and analyzing the responses. DIRB comes with a set of preconfigured attack wordlists for easy usage, but you can also use your own custom wordlists.

dirb http://<_MachineIP_> /usr/share/dirb/wordlists/common.txt

From our scan we find robots.txt and a simple directory. Further investigation of robots.txt reveals that it disallows all user agents from crawling the '/openemr-5_0_1_3' directory listed there.

Let's see if there's anything we can find in the '/openemr-5_0_1_3' directory.

The 'openemr-5_0_1_3' directory gives us a 404 error, indicating there's nothing useful there.

Would we have any luck with the simple directory we found?

http://<_MachineIP_>/simple

This seems interesting: it opens up a CMS. Quickly reading through the page, we can see that it is Simple CMS version 2.2.8.

A quick Google search, or a search on exploit-db.com, for known exploits associated with this version shows that there is indeed one. This will help us answer Q3 and Q4.

Q3. What's the CVE you're using against the application?

A. CVE-2019-9053

Q4. To what kind of vulnerability is the application vulnerable?

A. SQLi

Exploitation

Download the exploit from exploit-db.com and run the command:

python simple.py -u http://<_MachineIP_>/simple --crack -w /usr/share/wordlists/rockyou.txt

Executing the script, however, gives us a syntax error, but from the error message we can see that we just need to enclose the print statements in parentheses, so we do that and proceed.

This will help us discover the password and answer question 5.

Q5. What's the password?

A. secret

Q6. Where can you login with the details obtained?

A. We're going to SSH into the machine.

Logging in over SSH

We SSH into the machine using this command:

ssh -p 2222 mitch@<_MachineIP_>

Enter the password we found in Q5, then run the 'whoami' command just to confirm that we're logged in as Mitch.

whoami

List the contents of the directory:

ls

Investigate the contents of the file we find there to get the answer to Q7:

cat user.txt

Q7. What's the user flag?

A. G00d j0b, keep up!

Navigate back to the home directory and list its contents; there we find the other user.

Q8. Is there any other user in the home directory? What's its name?

A. sunbath

Privilege Escalation

Mitch is currently just a regular user, so we should see if we can get root privilege.

Let's see if any programs can be run as the root user:

sudo -l

We can see that we have root privilege on the vim binary. This is great for us as hackers but bad for the target machine.

Q9. What can you leverage to spawn a privileged shell?

A. Vim

GTFOBins shows us how we can use vim with sudo to escalate our privileges. We do this with the following command:

sudo vim -c ':!/bin/sh'
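The sudo rule that makes this step work is exactly the kind of thing an administrator should catch in an audit. As an added example (my own code, not from the post or the room), the script below parses `sudo -l` output, picks out rules that run a program as root, and flags the case this room shows: vim, which can execute commands from inside the editor, granted without a password. The `sudo -l` text is constructed to resemble the room's rule, not copied from the target.

```python
import re

# Constructed sample of `sudo -l` output, modelled on the rule this room exposes;
# not the real output from the target machine.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
"""

# One "(runas) [TAG: ...] cmd, cmd" rule line from the "may run" section.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Programs with a built-in way to run other commands (vim's ':!' in this room), which
# turn a narrow sudo rule into full root. Kept to what the post itself shows.
SHELL_CAPABLE = {"vim"}

def parse_sudo_rules(text):
    """Return the rules listed by `sudo -l` as dicts: runas user, tags, commands."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(root : root)" -> "root"
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": runas, "tags": tags, "commands": cmds})
    return rules

def audit_sudo_rules(rules):
    """Flag rules that hand out root through a program that can spawn a shell."""
    findings = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        for cmd in r["commands"]:
            prog = cmd.split()[0].rsplit("/", 1)[-1]
            if prog in SHELL_CAPABLE:
                nopw = " without a password" if "NOPASSWD" in r["tags"] else ""
                findings.append(
                    f"{cmd} may run as {r['runas']}{nopw}: {prog} can execute commands from "
                    "inside the editor, so this rule is equivalent to a root shell; "
                    "use sudoedit for editing files or restrict to a non-interactive wrapper")
    return findings
```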

Whoop whoop, anyone else doing a happy dance? We did it baby!!!

Finally

The '#' prompt already indicates to us that we have root privilege, but we still run the 'whoami' command to show off.

Q10. What's the root flag?

Navigate to the root directory, list its contents and capture the flag contained in root.txt.

A. W3ll d0n3. You made it!

Congratulations dears, Mitch has officially been fully hacked. Cheers to that.
Thanks for staying with me this long.
